VYPR
High severity · NVD Advisory · Published Mar 28, 2019 · Updated Aug 4, 2024

CVE-2019-0222

Description

In Apache ActiveMQ 5.0.0 - 5.15.8, unmarshalling a corrupt MQTT frame can lead to a broker Out of Memory exception, making it unresponsive.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Unmarshalling corrupt MQTT frames in Apache ActiveMQ 5.0.0–5.15.8 triggers an OutOfMemoryError that leaves the broker unresponsive.

Vulnerability

A flaw in the MQTT protocol handling of Apache ActiveMQ 5.0.0 through 5.15.8 allows an attacker to send a specially crafted, corrupt MQTT frame. When the broker unmarshals the frame, the decoder does not validate the frame content and keeps allocating until an OutOfMemoryError is thrown, leaving the broker unresponsive. The code path is reachable by any client that can open an MQTT connection to the broker; no configuration is required beyond an enabled MQTT transport connector [1][3].

Exploitation

An attacker needs network access to an ActiveMQ broker that accepts MQTT connections; the conf/activemq.xml shipped with the distribution enables the connector on port 1883. No authentication or prior session is required. The attacker sends a single malformed MQTT frame. The broker's unmarshalling logic, which the fix [4] replaces by upgrading the MQTT client library, previously failed to validate the frame content and performed excessive memory allocation. No elevated privileges or user interaction are involved; the attack is a single unauthenticated request [3].
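The check that the fix's regression test demands, as an added example that is not code from ActiveMQ or the mqtt-client library: a strict decoder for UNSUBSCRIBE frames, including the variable-length Remaining Length field, that rejects the five-zero-byte body used in that test instead of unmarshalling it. Function and constant names are illustrative, and the well-formed sample frame is constructed.

```python
"""Strict decoder for MQTT 3.1.1 UNSUBSCRIBE frames (added example; not code
from ActiveMQ or the mqtt-client library, names are illustrative). It shows
the property the fix's regression test demands: the five-zero-byte body from
that test must raise a protocol error, and no read may exceed the bytes
actually received, so a corrupt frame cannot drive unbounded allocation."""
from typing import List, Tuple

UNSUBSCRIBE_HEADER = (10 << 4) | 0x02   # type 1010 in high nibble, flags 0010


class ProtocolError(Exception):
    """Any violation of the MQTT 3.1.1 encoding rules."""


def decode_remaining_length(data: bytes, pos: int) -> Tuple[int, int]:
    """Decode the variable-length Remaining Length field at data[pos:].
    Returns (value, position after it). A continuation bit on the fourth
    byte, or running out of input, is an error rather than a loop."""
    value, multiplier = 0, 1
    for i in range(4):
        if pos + i >= len(data):
            raise ProtocolError("truncated remaining-length field")
        byte = data[pos + i]
        value += (byte & 0x7F) * multiplier
        multiplier *= 128
        if not byte & 0x80:
            return value, pos + i + 1
    raise ProtocolError("remaining-length field longer than 4 bytes")


def encode_remaining_length(value: int) -> bytes:
    out = bytearray()
    while True:
        digit, value = value % 128, value // 128
        out.append(digit | 0x80 if value else digit)
        if not value:
            return bytes(out)


def read_utf8_string(body: bytes, pos: int) -> Tuple[str, int]:
    """Read a 2-byte length-prefixed UTF-8 string, checking the declared
    length against the bytes present before touching any of them."""
    if pos + 2 > len(body):
        raise ProtocolError("truncated string length prefix")
    length = int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    if pos + length > len(body):
        raise ProtocolError("string length %d exceeds frame" % length)
    try:
        return body[pos:pos + length].decode("utf-8"), pos + length
    except UnicodeDecodeError as exc:
        raise ProtocolError("invalid UTF-8 in string") from exc


def decode_unsubscribe(frame: bytes) -> Tuple[int, List[str]]:
    """Return (packet_id, topic_filters). Every read is bounded by the
    declared remaining length, which must itself match the bytes received."""
    if not frame or frame[0] != UNSUBSCRIBE_HEADER:
        raise ProtocolError("not an UNSUBSCRIBE frame with flags 0010")
    remaining, pos = decode_remaining_length(frame, 1)
    if pos + remaining != len(frame):
        raise ProtocolError("remaining length does not match frame size")
    body = frame[pos:]
    if len(body) < 2:
        raise ProtocolError("missing packet identifier")
    packet_id = int.from_bytes(body[:2], "big")
    if packet_id == 0:
        raise ProtocolError("packet identifier must be non-zero")
    filters, bpos = [], 2
    while bpos < len(body):   # bpos advances by at least 2 each pass: no spin
        topic, bpos = read_utf8_string(body, bpos)
        if not topic:
            raise ProtocolError("empty topic filter")
        filters.append(topic)
    if not filters:
        raise ProtocolError("UNSUBSCRIBE needs at least one topic filter")
    return packet_id, filters


def make_frame(body: bytes) -> bytes:
    """Wrap a raw body in an UNSUBSCRIBE fixed header (for constructed input)."""
    return bytes([UNSUBSCRIBE_HEADER]) + encode_remaining_length(len(body)) + body


def encode_unsubscribe(packet_id: int, topic_filters: List[str]) -> bytes:
    body = packet_id.to_bytes(2, "big")
    for topic in topic_filters:
        raw = topic.encode("utf-8")
        body += len(raw).to_bytes(2, "big") + raw
    return make_frame(body)


def is_rejected(frame: bytes) -> bool:
    """True when the decoder refuses the frame with a ProtocolError."""
    try:
        decode_unsubscribe(frame)
    except ProtocolError:
        return True
    return False


# Constructed inputs: the fix test's five zero bytes, and a well-formed frame.
CORRUPT_FRAME = make_frame(bytes([0, 0, 0, 0, 0]))
VALID_FRAME = encode_unsubscribe(42, ["sensors/+/temp", "alerts/#"])
```

Every length in the frame is compared with the bytes actually present before it is used, and the topic loop advances by at least two bytes per iteration, so the decoder's work and memory are bounded by the size of the frame it received. Capping the frame size a connector will buffer is a separate control and would not by itself have prevented this issue, because the corrupt frame in the fix's test is only five bytes long.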

Impact

A successful exploit results in a denial-of-service (DoS) condition. The ActiveMQ broker consumes all available heap memory and throws an OutOfMemoryError, which renders the broker unresponsive and unable to process legitimate messages. The impact is limited to availability; there is no evidence of information disclosure, data corruption, or remote code execution. The broker must be restarted to recover service [1][3].

Mitigation

Apache ActiveMQ 5.15.9, released on March 27, 2019, contains the fix for CVE-2019-0222 [3]. The fix consists of upgrading the bundled MQTT client library (mqtt-client) from 1.14 to 1.15, which validates frame data properly [4]; the broker's own MQTT code is unchanged, so the concrete check on a deployment is which mqtt-client version the broker actually loads. Users running any version from 5.0.0 through 5.15.8 should upgrade to 5.15.9 or later. As a workaround, administrators can disable the MQTT transport connector where it is not required. This vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
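A deployment-side check built from the facts above, as an added example that is not part of ActiveMQ or this advisory: it classifies a broker version against the affected range, reads the pom property the fix bumps, inspects library jars by name, and lists the transport connectors that expose MQTT. The jar naming, the pom layout and the sample inputs are assumptions made for illustration.

```python
"""Exposure check for CVE-2019-0222 (added example; not part of ActiveMQ or
this advisory). It encodes the advisory's facts: brokers 5.0.0 through 5.15.8
are affected, 5.15.9 fixes it by moving to mqtt-client 1.15, and disabling the
MQTT transport connector removes the reachable path. The file layout (a jar
named mqtt-client-<version>.jar, the <mqtt-client-version> pom property) and
the sample inputs are assumptions for illustration."""
import re
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

AFFECTED_FROM = (5, 0, 0)
FIXED_BROKER = (5, 15, 9)
FIXED_MQTT_CLIENT = (1, 15)


def parse_version(text: str) -> Tuple[int, ...]:
    """'5.15.8' or '5.15.8-SNAPSHOT' -> (5, 15, 8); qualifiers are ignored."""
    m = re.match(r"(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError("unparseable version: %r" % text)
    return tuple(int(p) for p in m.group(1).split("."))


def broker_is_affected(version: str) -> bool:
    return AFFECTED_FROM <= parse_version(version) < FIXED_BROKER


def mqtt_client_jar_is_vulnerable(jar_name: str) -> Optional[bool]:
    """Judge a jar by file name; None for jars that are not mqtt-client."""
    m = re.fullmatch(r"mqtt-client-([0-9.]+)\.jar", jar_name)
    if not m:
        return None
    return parse_version(m.group(1)) < FIXED_MQTT_CLIENT


def _local(tag: str) -> str:
    """Strip an XML namespace prefix: '{uri}name' -> 'name'."""
    return tag.split("}")[-1]


def pom_mqtt_client_version(pom_xml: str) -> Optional[str]:
    """Read the <mqtt-client-version> property the fix commit bumps."""
    for el in ET.fromstring(pom_xml).iter():
        if _local(el.tag) == "mqtt-client-version" and el.text:
            return el.text.strip()
    return None


def mqtt_connectors(activemq_xml: str) -> List[str]:
    """URIs of transportConnectors whose scheme is mqtt, mqtt+nio, mqtt+ssl
    and so on. Empty means the vulnerable decode path is not reachable over
    the network, which is the workaround the advisory describes. (The ws
    connector can also carry MQTT over WebSocket and deserves its own review.)"""
    uris = []
    for el in ET.fromstring(activemq_xml).iter():
        if _local(el.tag) == "transportConnector":
            uri = el.get("uri", "")
            if uri.split(":", 1)[0].split("+")[0] == "mqtt":
                uris.append(uri)
    return uris


def assess(broker_version: str, pom_xml: str, activemq_xml: str,
           jar_names: List[str]) -> List[str]:
    """Summarise exposure as findings; an empty list means nothing to do."""
    findings = []
    if broker_is_affected(broker_version):
        findings.append("broker %s is in 5.0.0..5.15.8; upgrade to 5.15.9 or later"
                        % broker_version)
    pinned = pom_mqtt_client_version(pom_xml)
    if pinned and parse_version(pinned) < FIXED_MQTT_CLIENT:
        findings.append("pom pins mqtt-client %s (fix needs 1.15)" % pinned)
    for jar in jar_names:
        if mqtt_client_jar_is_vulnerable(jar):
            findings.append("vulnerable library on classpath: %s" % jar)
    for uri in mqtt_connectors(activemq_xml):
        findings.append("MQTT reachable via %s; disable until patched if unused" % uri)
    return findings


# Constructed sample inputs modelled on an unpatched 5.15.8 deployment.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><mqtt-client-version>1.14</mqtt-client-version></properties>
</project>"""

SAMPLE_ACTIVEMQ_XML = """<beans xmlns="http://www.springframework.org/schema/beans">
  <broker xmlns="http://activemq.apache.org/schema/core" brokerName="localhost">
    <transportConnectors>
      <transportConnector name="openwire" uri="tcp://0.0.0.0:61616"/>
      <transportConnector name="mqtt" uri="mqtt://0.0.0.0:1883?maximumConnections=1000"/>
      <transportConnector name="mqtt+nio" uri="mqtt+nio://0.0.0.0:1884"/>
    </transportConnectors>
  </broker>
</beans>"""
SAMPLE_JARS = ["activemq-mqtt-5.15.8.jar", "mqtt-client-1.14.jar", "hawtbuf-1.11.jar"]

if __name__ == "__main__":
    for line in assess("5.15.8", SAMPLE_POM, SAMPLE_ACTIVEMQ_XML, SAMPLE_JARS):
        print(line)
```

Run against a real installation, point the sample inputs at the broker's conf/activemq.xml and its library directory; the jar check is the one that matters for embedded deployments, where the broker version alone does not say which mqtt-client ended up on the classpath.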

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                      Affected versions     Patched versions
org.apache.activemq:activemq-client (Maven)  >= 5.0.0, < 5.15.9    5.15.9

Affected products: 2

Patches (2)
f78c0962ffb4

AMQ-7166 - upgrade mqtt client library

https://github.com/apache/activemq · Dejan Bosanac · Mar 11, 2019 · via ghsa
2 files changed · +26 −1
  • activemq-mqtt/src/test/java/org/apache/activemq/transport/mqtt/MQTTCodecTest.java  +25 −0, modified
    @@ -19,7 +19,9 @@
     import static org.junit.Assert.assertEquals;
     import static org.junit.Assert.assertFalse;
     import static org.junit.Assert.assertTrue;
    +import static org.junit.Assert.fail;
     
    +import java.net.ProtocolException;
     import java.util.ArrayList;
     import java.util.List;
     import java.util.concurrent.TimeUnit;
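Review bot: the new test body further down uses DataByteArrayOutputStream, but this import hunk adds only fail, ProtocolException and UNSUBSCRIBE; unless MQTTCodecTest already imports that class (no such import appears anywhere in this diff), the file will not compile. Please confirm the existing import or add it alongside the ones introduced here.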
    @@ -34,6 +36,7 @@
     import org.fusesource.mqtt.codec.MQTTFrame;
     import org.fusesource.mqtt.codec.PUBLISH;
     import org.fusesource.mqtt.codec.SUBSCRIBE;
    +import org.fusesource.mqtt.codec.UNSUBSCRIBE;
     import org.junit.Before;
     import org.junit.Test;
     import org.slf4j.Logger;
    @@ -254,6 +257,28 @@ public void testMessageDecoding() throws Exception {
             assertEquals(MESSAGE_SIZE, publish.payload().length());
         }
     
    +    @Test
    +    public void testMessageDecodingCorrupted() throws Exception {
    +        UNSUBSCRIBE unsubscribe = new UNSUBSCRIBE();
    +
    +        MQTTFrame frame = unsubscribe.encode();
    +
    +        DataByteArrayOutputStream str = new DataByteArrayOutputStream(5);
    +        str.write(new byte[] {0,0,0,0,0});
    +
    +        frame.buffers[0] = str.toBuffer();
    +
    +        boolean decodingFailed = false;
    +        try {
    +            unsubscribe.decode(frame);
    +        } catch (ProtocolException pe) {
    +            decodingFailed = true;
    +        }
    +        if (!decodingFailed) {
    +            fail("Should have failed decoding the frame");
    +        }
    +    }
    +
         @Test
         public void testMessageDecodingPerformance() throws Exception {
     
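Review bot: the try/flag/fail pattern in testMessageDecodingCorrupted can be replaced by `@Test(expected = ProtocolException.class)`, which is the JUnit 4 idiom already used in this file and removes the decodingFailed bookkeeping. More importantly, the test only exercises UNSUBSCRIBE with a five-byte all-zero body; since the fix is a library upgrade rather than a change in this module, the same corrupt-body case should also be applied to the other decode paths the broker calls (SUBSCRIBE and PUBLISH are imported at the top of this file), so that a future downgrade or regression in any of them is caught. A one-line comment naming AMQ-7166 on the test would record why it exists.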
    
  • pom.xml  +1 −1, modified
    @@ -97,7 +97,7 @@
         <mockito-version>1.10.19</mockito-version>
         <owasp-dependency-check-version>3.3.0</owasp-dependency-check-version>
         <powermock-version>1.6.5</powermock-version>
    -    <mqtt-client-version>1.14</mqtt-client-version>
    +    <mqtt-client-version>1.15</mqtt-client-version>
         <openjpa-version>1.2.0</openjpa-version>
         <org-apache-derby-version>10.14.2.0</org-apache-derby-version>
         <org.osgi.core-version>4.3.1</org.osgi.core-version>
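Review bot: bumping `<mqtt-client-version>` from 1.14 to 1.15 is the entire fix, so anything that pins mqtt-client outside this property (a module pom with an explicit version, a features file, or a shaded distribution artifact) would silently keep 1.14. The diff touches only the root pom, so please confirm that no other pin exists, and consider noting in the commit message that the validation lives in the upgraded library rather than in ActiveMQ's own code.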
    
98b9f2e

AMQ-7166 - upgrade mqtt client library

https://github.com/apache/activemq · Dejan Bosanac · Mar 11, 2019 · via ghsa
2 files changed · +26 −1 (the diff is identical to that of f78c0962ffb4 above)

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 35

News mentions: 0 (no linked articles in the index yet)